Files
pnpm/.github/workflows
Zoltan Kochan b7908f96e7 chore(release): stage the wrapper packages in the Rust release workflow (#12804)
The Rust release workflow authenticated every publish via npm trusted
publishing, but npm allows a single trusted publisher per package and
`pnpm` / `@pnpm/exe` have theirs bound to release.yml (the v11 TS
releases). The OIDC token exchange therefore returned 404, pnpm skipped
OIDC, and the unauthenticated PUT failed with E404.

Split the publish into two steps:

1. The `@pnpm/exe.<target>` natives are published only from this
   workflow, so they keep trusted publishing and go live directly.
2. The `pnpm` and `@pnpm/exe` wrappers are staged with
   `pnpm stage publish` using the static NPM_TOKEN. Nothing goes live
   from CI for those two names; a maintainer promotes them with
   `pnpm stage approve <stage-id> --otp`, which is where the
   proof-of-presence is consumed. Stage ids are teed into the job
   summary for the approver.

The steps must stay separate because `pnpm publish` skips OIDC as soon
as a static _authToken is configured (pnpm/pnpm#11495). `--provenance`
keeps working in both steps: it needs only the `id-token: write` OIDC
token, not trusted publishing. `set -o pipefail` guards the tee pipe
because the runner's default bash is -e without pipefail.
2026-07-04 22:51:50 +02:00
..